Key insights
- Set up internal policies and procedures that separate duties, promote accurate documentation, and systematically evaluate and help counter potential risk.
- Many weaknesses in internal controls can be uncovered by a fraud risk assessment.
- Involving a forensic investigator can provide additional tools and resources to the internal audit team, such as data recovery and surveillance.
Need help improving your company’s internal processes?
The following circumstances are based on a real-life case study. Names were changed for confidentiality.
A long-time company employee steals $4 million to fund her business venture
Jane Dosh was the comptroller and a trusted employee at ABC Co. (ABC) — a small and close-knit family business catering to high-net-worth families and individuals — for almost 15 years. As comptroller, she managed many aspects of ABC’s financials such as paying bills, managing payroll, and purchasing supplies for the company and clients — with oversight from Robert Smith, the company’s co-founder.
Smith was responsible for monitoring the company’s finances. When he passed away in 2011, his financial responsibilities were added to Dosh’s workload due to her impressive track record with the company. The added responsibility meant she handled every aspect of the company’s finances with no oversight. She continued in that role for the next few years — until she unexpectedly resigned on December 31, 2016.
Internal Audit Manager Heather Dittman was the sole internal auditor at ABC. As part of her annual plan, Dittman performed a standard review of the accounts payable process. The audit program included sampling transactions, checking support, and confirming appropriate authorizations. During her latest review, she documented several unsupported and unexplained transactions.
Unable to obtain answers from Dosh and concerned about missing records, Dittman escalated her concerns to the CEO and CFO and recommended a forensic review. Given Dosh’s control of the financial processes, it appeared possible that she had defrauded the company and covered it up. Concerned about the extent of the fraud and the company’s ability to recoup the money, management agreed to the forensic review.
The forensic review began with traditional physical surveillance of Dosh to uncover the facts necessary to figure out the fraud. On the second day of surveillance, Dosh went to a local clothing boutique. This piece let the investigators assemble the rest of the puzzle.
Dosh wanted to be an entrepreneur, but she lacked funding. When Smith died, another employee, Helen Brown, was granted a company credit card, and Dosh saw her chance. She had access to the new card’s information and knew nobody would be monitoring the credit card activity but her. Dosh set up a store account using Brown’s company credit card. She would pay off her purchases on the company card every month from ABC’s checking accounts.
When forensic investigators recovered the contents of Dosh’s company computer hard drive, they found detailed plans for a boutique clothing and accessory business owned by Dosh. Dosh had also forged the signature of the second company co-founder on multiple fraudulent checks to purchase personal goods and services, including payments to family-owned businesses.
Private investigators followed Dosh for weeks to locate where she was storing the fraudulent purchases. Forensic accountants went through years of company financial documents to tally up the total amount of fraud. In just five years, she embezzled more than $4 million from the company.
ABC and the investigators turned the case over to law enforcement. ABC then implemented several policies and procedures to prevent the company from getting defrauded again, including:
- Dispersing cash only after appropriate management authorization and only with dual approvals over certain threshold amounts to verify company funds are being spent on approved business purposes
- Reviewing all cash receipts and disbursements for fraud and accounting errors as part of a monthly bank reconciliation
- Separating financial duties so that no one person handles all the responsibilities
- Backing up all financial transaction source documents to multiple locations so documents aren’t lost if any one location is compromised
- Developing a systematic process of evaluating potential risk that allows internal audit to review, assess, and identify weaknesses in internal controls and also points out areas of high risk concerning fraud
In implementing the above, ABC realized internal controls do not have to be an impediment that slows down work processes. While there is no such thing as a one-size-fits-all system, sharpening the focus of their internal controls helped safeguard and develop the business.
Lessons learned
- No company is immune to fraud. Set up internal policies and procedures that separate duties, promote accurate documentation, and systematically evaluate and help counter potential risk.
- Internal auditors should use a fraud risk assessment to help leadership in small companies understand the extent of their vulnerability to fraud. Significant gaps in procedure or segregation of duties can be identified during the process without substantial investment.
- Internal auditors should include a fraud risk assessment as a standard for their work plans. It applies to every company and is the most compelling method of educating management about fraud vulnerabilities.
- Internal audit needs to know when to involve a forensic investigator. Forensic professionals can provide different tools, such as recovering erased hard drives and surveillance, and will preserve the chain of evidence in a fraud case.
How we can help
The discovery of fraudulent activity in your business can come as a shock. Our experienced CPAs, technology professionals, certified fraud examiners, and retired FBI agents can quickly help you identify financial irregularities and make recommendations to help you improve internal processes.